This is the Security 13r3 Release Notes Document. It is an extract of the 13r3 Release Notes showing only the security fixes made. It can be used by security sensitive customers to decide whether an update of the innovaphone structure is needed with a new Service Release.

Service Releases are planned for the second Monday each month.

Please see the disclaimer before using the information presented here!

Security 13r3

13r3 Service Release 3 (137803)

139670 - Addtional protection against theoretical XSS possibility in pbx_appclient_popup.htm

• The page does not work anymore, if loaded without a window.opener.
• The page does not work anymore, if loaded in a standard browser, just in the myApps launcher.
• The URL-Parameter does not allow data-URLs anymore.

13r3 Service Release 4 (137818)

142560 - App Devices: do not allow to provision a device to a different domain if already provisioned

It is not longer possible to provision a device into another domain if the device is already inside a domain in devices.

If you want to reprovision a device to a different domain, you must first remove it from its current domain.

13r3 Service Release 5 (137834)

143535 - Enable "password protect all HTTP pages" in install.htm

After completing the installation, the option shall be enabled by default.

Idea: hide information like device type, MAC address, firmware version that is displayed on the start page of the advanced UI.

144019 - myApps Windows: improved signature validation in update service

13r3 Service Release 7 (137863)

146639 - App Devices: security fix for a possible privilege escalation through the provisioning process

Requirements to perform the attack:
* enabled checkmark "Deploy domain passwords on all devices" on the domain
* standard PBX user account with access to the Profiles App

Attack scenario:

* phone provisioning using the Profile App could be abused to gain access to the domain password by authenticated but non-privileged users

Fix:
* the creation of provision codes through the Profiles and Users Admin App now creates non administrative provision codes
* the creation of provision codes through the Devices App creates administrative provision codes (as just administrators have access to the Devices App)
* if a non administrative provisioning code is used, the provisioned device gets a random password as administrative password
* if an administrative provisioning code is used, the provisioned device still gets the domain password

Already provisioned devices:
* all non phone devices will be automatically handled as if provisioned with an administrative provisioning code and will still get the domain password
* all phone devices will still get the domain password, but you can decide to switch these devices to random passwords too: <a href="https://wiki.innovaphone.com/index.php?title=Support:Device_password_deployment_mechanism_changed_in_13r3SR7/13r2SR25" target="_blank">https://wiki.innovaphone.com/index.php?title=Support:Device_password_deployment_mechanism_changed_in_13r3SR7/13r2SR25</a>

New devices:
* all devices provisioned by the automatic provisioning process will get random passwords (no matter which device type)
* a device provisioned with a provisioning code will get either a random or the domain password depending on how the code was created (see Fix above)
* phone devices added manually in the Devices UI will get random passwords
* non phone devices added manually in the Devices UI will get the domain password

Direct access to a device with a random password:

you can request the clear text password in the Devices App in the settings of a device

If you reprovision an already provisioned device, the device will get a new random sysclient password.

Discovered by PenTesting of SSyS

13r3 Service Release 8

149035 - App Platform Manager: restrict access to manager logs

The log file directory of the App Platform manager itself had wrong access rights which allowed read access for non root users.

13r3 Service Release 8